Azure - Creating a network security group to limit incoming RDP traffic to campus

PowerShell

The following PowerShell script creates a network security group that restricts incoming RDP traffic to the well-known UW-Madison campus IP address ranges and hosts:
# Customize the following fields for your Azure subscription
$subscriptionName = "<Subscription Name>"
$rgName = "<Name of Resource Group in which to create the network security group>"
$location = "<Location of rgName>"
$nsgName = "allow-incoming-rdp-from-campus"

# Sign in and select the subscription to work in
Login-AzureRmAccount
Get-AzureRmSubscription -SubscriptionName $subscriptionName | Select-AzureRmSubscription

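# Create an empty network security group, then add one inbound allow rule for TCP 3389 per campus range
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName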
$nsgRule1000 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-72.33.0.0_23 -Priority 1000 -SourceAddressPrefix 72.33.0.0/23 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1010 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-72.33.2.0_23 -Priority 1010 -SourceAddressPrefix 72.33.2.0/23 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1020 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-144.92.0.0_16 -Priority 1020 -SourceAddressPrefix 144.92.0.0/16 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1030 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-128.104.0.0_16 -Priority 1030 -SourceAddressPrefix 128.104.0.0/16 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1040 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-128.105.0.0_16 -Priority 1040 -SourceAddressPrefix 128.105.0.0/16 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1050 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-146.151.0.0_17 -Priority 1050 -SourceAddressPrefix 146.151.0.0/17 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1060 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-146.151.128.0_17 -Priority 1060 -SourceAddressPrefix 146.151.128.0/17 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1070 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-198.133.224.0_24 -Priority 1070 -SourceAddressPrefix 198.133.224.0/24 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1080 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-198.133.225.0_24 -Priority 1080 -SourceAddressPrefix 198.133.225.0/24 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsgRule1090 = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Direction Inbound -Name default-allow-rdp-from-campus-198.51.254.0_24 -Priority 1090 -SourceAddressPrefix 198.51.254.0/24 -SourcePortRange * -Protocol Tcp -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
# Save the rules to Azure, then display the resulting network security group
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
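
To check the result, the following added example (not part of the original script) looks through a network security group's custom inbound rules for any rule that allows TCP 3389 from a source outside the campus ranges used above. The function names Test-PortCovered and Find-UnexpectedRdpRule and the sample rules are constructed for illustration.

```powershell
# Added example: flag NSG inbound rules that allow RDP (TCP 3389) from outside an allow list.
# $allowed holds the ten campus prefixes used by the script above.
$allowed = '72.33.0.0/23', '72.33.2.0/23', '144.92.0.0/16', '128.104.0.0/16', '128.105.0.0/16',
           '146.151.0.0/17', '146.151.128.0/17', '198.133.224.0/24', '198.133.225.0/24', '198.51.254.0/24'

function Test-PortCovered {
    # True when a port spec ("*", "3389" or "3000-4000") includes $Port.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq '*') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ($Spec -eq "$Port")
}

function Find-UnexpectedRdpRule {
    # Returns inbound Allow rules that reach $Port from a source not in $AllowedPrefixes.
    # Prefixes are compared as exact strings, so a narrower subnet is also reported for review.
    param([object[]]$Rules, [string[]]$AllowedPrefixes, [int]$Port = 3389)
    foreach ($rule in $Rules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.Protocol -notin 'Tcp', '*') { continue }
        # @() copes with module versions that expose these properties as a string or as a list
        $hitsPort = @($rule.DestinationPortRange) | Where-Object { Test-PortCovered $_ $Port }
        if (-not $hitsPort) { continue }
        $bad = @($rule.SourceAddressPrefix) | Where-Object { $_ -notin $AllowedPrefixes }
        if ($bad) {
            [pscustomobject]@{ Rule = $rule.Name; Priority = $rule.Priority; Source = ($bad -join ',') }
        }
    }
}

# Constructed sample rules (same property names as $nsg.SecurityRules); the second is out of policy.
$sample = @(
    [pscustomobject]@{ Name = 'default-allow-rdp-from-campus-144.92.0.0_16'; Priority = 1020; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'; SourceAddressPrefix = '144.92.0.0/16'; DestinationPortRange = '3389' }
    [pscustomobject]@{ Name = 'temp-allow-rdp-any'; Priority = 900; Direction = 'Inbound'; Access = 'Allow'; Protocol = '*'; SourceAddressPrefix = '*'; DestinationPortRange = '3000-4000' }
)
Find-UnexpectedRdpRule -Rules $sample -AllowedPrefixes $allowed

# Against the live group created above (AzureRM module, signed in):
# $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
# Find-UnexpectedRdpRule -Rules $nsg.SecurityRules -AllowedPrefixes $allowed
# if (-not $nsg.Subnets -and -not $nsg.NetworkInterfaces) { 'NSG is not attached to any subnet or NIC' }
```

A network security group filters traffic only once it is associated with a subnet or network interface, which is what the last commented line checks.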

Azure Resource Manager template

Customers who would prefer to create the network security group above using Azure Resource Manager templates and Azure PowerShell can download ExportedTemplate-allow-incoming-rdp-from-campus.zip and use it as a reference template.
